From: Jeremy Allison <jra@samba.org>
Date: Wed, 26 Jul 2023 23:39:51 +0000 (-0700)
Subject: s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove... 
X-Git-Tag: ldb-2.8.0~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20df26b908182f0455f301a51aeb54b6044af580;p=thirdparty%2Fsamba.git

s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224
---

diff --git a/selftest/knownfail.d/dfs_badpath b/selftest/knownfail.d/dfs_badpath
deleted file mode 100644
index 9fd16e99075..00000000000
--- a/selftest/knownfail.d/dfs_badpath
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smbtorture_s3.smb1.SMB1-DFS-BADPATH.smbtorture\(fileserver_smb1\)
diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 9113878fa8c..66b735e0b75 100644
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -324,6 +324,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		char *share = NULL;
 		char *remaining_path = NULL;
 		char path_sep = 0;
+		char *p = NULL;
 
 		if (posix_pathnames && (dst[0] == '/')) {
 			path_sep = dst[0];
@@ -374,6 +375,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		if (share == NULL) {
 			goto local_path;
 		}
+		/*
+		 * Ensure the server name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = server + 1; p < share; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		/*
 		 * It's a well formed DFS path with
 		 * at least server and share components.
@@ -388,6 +399,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		 */
 		remaining_path = strchr(share+1, path_sep);
 		if (remaining_path == NULL) {
+			/*
+			 * Ensure the share name does not contain
+			 * any possible path components by converting
+			 * them to _'s.
+			 */
+			for (p = share + 1; *p; p++) {
+				if (*p == '/' || *p == '\\') {
+					*p = '_';
+				}
+			}
 			/*
 			 * If no remaining path this was
 			 * a bare /server/share path. Just return.
@@ -395,6 +416,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 			*err = NT_STATUS_OK;
 			return ret;
 		}
+		/*
+		 * Ensure the share name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = share + 1; p < remaining_path; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		*remaining_path = '/';
 		dst = remaining_path + 1;
 		/* dst now points at any following components. */